##(see the SpecSpec for an explanation)
 * '''Launchpad Entry''': [[https://blueprints.launchpad.net/ubuntu/+spec/server-maverick-openldap-dit|server-maverick-openldap-dit]]
 * '''Created''': [[Asommer|Adam Sommer]]
 * '''Contributors''':
 * '''Packages affected''': slapd, openldap-dit

== Summary ==

Provide a method to create a basic level DIT (Directory Information Tree) for OpenLDAP. The [[https://blueprints.launchpad.net/openldap-dit|openldap-dit]] project currently has a script that provides a very extensive DIT. This spec covers using either the openldap-dit package, or a version of it, to provide a basic DIT for OpenLDAP.

== Release Note ==

TBD

== Rationale ==

The slapd package no longer creates a basic level Directory Information Tree on installation. This is a burden for users not very familiar with OpenLDAP and can also be seen as a regression from previous versions of the package. Without a basic DIT the current slapd package is of little use to a substantial number of users.

== User stories ==

From bug [[https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/442498|442498]]:
{{{
The lack of a simple way of setting up a working basic ldap-service is a serious problem. I've basically resigned to either using a really old package that's not broken in this way or just forgetting about ldap in ubuntu.

What's the reasoning behind upgrading a package from "too old" to "unusable"?
}}}

Also from Derek Simkowiak:
{{{
In my opinion, the new (useless) slapd package should not have shipped until the accompanying slapd-dit was ready. It basically broke LDAP for everyone but experts, and now Mathias doesn't have time to fix it.

Mathias, can you make slapd-dit a priority? It's been several months since a usable slapd has been available for Ubuntu.
}}}

== Assumptions ==

 * The '''openldap-dit-setup.sh''' script can be modified to provide only a base level DIT.

== Design ==

 * Create an openldap-dit-core package that creates a very basic DIT.
 * Create openldap-dit-$service packages that add the modules, schemas, ACLs, etc. needed for additional services:
  * openldap-dit-userandgroups
  * openldap-dit-replication
  * openldap-dit-samba
  * openldap-dit-mit-kerberos
  * openldap-dit-sudo
  * openldap-dit-postfix
  * openldap-dit-dns
  * openldap-dit-dhcp
  * openldap-dit-autofs
 * Use a standard directory structure and standard file names for the needed LDIF files so that new services can be added easily.

== Implementation ==

 * Get the [[https://code.launchpad.net/~asommer/openldap-dit/openldap-dit-split|openldap-dit-split]] branch, or a version of it, merged into the openldap-dit trunk branch.
 * Create a directory for each service containing ''$service''-dit.ldif, ''$service''-modules.ldif, ''$service''-acls.ldif, etc.
 * Migrate the openldap-dit-setup.sh script to a postinst script.
 * Use debconf to prompt the user for the domain and the admin password in the openldap-dit-core package.
 * The postinst should check what the current DIT already contains before adding additional modules, ACLs, etc.

=== UI Changes ===

 * openldap-dit-setup.sh will be integrated into the postinst scripts of the various openldap-dit-$service packages.
 * Possibly a new script that can set up replication syncing in a few quick commands.

=== Code Changes ===

 * Migrate openldap-dit-setup.sh to the package postinst.

=== Migration ===

== Test/Demo Plan ==

 * Install the slapd and ldap-utils packages.
 * Install the openldap-dit package.
 * Execute the /usr/share/slapd/openldap-dit/openldap-dit-setup.sh script.
 * On successful completion of the script a basic DIT should exist.
 * View the directory with: {{{ldapsearch -xLLL -b $suffix}}}
 * $suffix is derived from the host's domain name, or entered manually by the user.

== Unresolved issues ==

== BoF agenda and discussion ==

 * Discuss the direction of the openldap-dit project.
 * Propose to modularize openldap-dit-setup.sh. - Approved
 * Determine what objects are needed for the base level DIT. - Did some, but may need more discussion or clarification.
 * Is there a way to integrate DIT creation/management with puppet? - Probably not needed, since it will be done in postinst.
 * Design the tool like quickly, rails, etc. with short command line options to build the DIT. - Design is to use package postinst scripts to add the DITs.
 * Recommend that the base DIT follow rfc2307bis.
 * Where did the rfc2307bis.ldif file come from, was it part of another package?
 * The current Server Guide uses nis.ldif, but rfc2307bis.ldif is a better way to go.
 * Create the base DIT during openldap-dit package installation.
 * IDMap is Samba specific and can be moved into the Samba service.
 * Hosts is for Samba.
 * Check for System Accounts and System Groups before adding more service DITs.
 * Another script to create the replicator DIT.
 * openldap-dit-core (depends on slapd) - creates the suffix during package install
  * user-group
  * kerberos
  * dhcp
  * dns
 * Move the database LDIFs to the acls directory. '''Done in revision 68.'''
 * Provide best practices for developing DIT modules.
  * Standard way to provide schemas, modules, overlays, ACLs, base DIT structures.
 * Divide the openldap-dit package into openldap-$service packages.
 * Add the local sudo auth string to the first ACL of the frontend DIT.
 * To modify the ACLs for a new service:
  * LDAP search for the ACLs and find the last index number using grep -c.
  * Do an ldapmodify that puts the new ACL at that number.
 * Actions
  * Create the openldap-dit-core package.
  * Create the openldap-dit-usergroup package.

----
CategorySpec
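The following shell helpers are an added example for two points above, not code from the openldap-dit project or from openldap-dit-setup.sh: deriving $suffix from the host's domain name (Test/Demo Plan) and finding the olcAccess index at which a service package's postinst inserts its ACL (BoF notes). It assumes the Ubuntu cn=config layout, where the ACLs of the main database are the ordered olcAccess values of olcDatabase={1}hdb,cn=config; the sample ldapsearch output and the sudo ACL string are constructed for the example, and the "ou=SUDOers" base and "by * read" are assumptions, not the spec's.

```shell
#!/bin/sh
# Added example (not openldap-dit's own code): helpers a postinst of the kind
# described in the spec would need. Assumes the Ubuntu cn=config layout with
# the main database at olcDatabase={1}hdb,cn=config.

# example.com -> dc=example,dc=com (lower-cased; a trailing dot is ignored)
domain_to_suffix() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | awk -F. '{
        out = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "") continue
            out = out (out == "" ? "" : ",") "dc=" $i
        }
        print out
    }'
}

# Count the olcAccess values in ldapsearch LDIF read from stdin. The anchor
# matters: ldapsearch wraps long values onto continuation lines that start
# with a space, and a bare "grep -c olcAccess" would count those as well.
# The values are numbered {0}..{n-1}, so the count is also the index a new
# value gets when appended at the end.
count_acls() {
    grep -c '^olcAccess:' || :
}

# Index at which a rule must be inserted to land before the final catch-all.
# slapd evaluates olcAccess in order and stops at the first "to" clause that
# matches, so a service ACL appended after "to * by * read" is never reached.
before_last_index() {
    n=$(count_acls)
    if [ "$n" -gt 0 ]; then echo $((n - 1)); else echo 0; fi
}

# LDIF for ldapmodify that inserts $3 as olcAccess value number $2 on
# database $1; slapd renumbers the values that follow the inserted one.
acl_add_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: olcAccess\nolcAccess: {%s}%s\n' "$1" "$2" "$3"
}

# Constructed sample (not captured from a real host) of what
#   ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={1}hdb,cn=config' olcAccess
# returns on a freshly installed slapd; note the wrapped first value.
SAMPLE_ACLS='dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous a
 uth by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com" write by * read'

# Assumed ACL for a sudo service package; the base DN and access level are
# illustrative only.
SUDO_ACL='to dn.subtree="ou=SUDOers,dc=example,dc=com" by * read'

if [ "${1:-}" = "--demo" ]; then
    echo "suffix: $(domain_to_suffix example.com)"
    idx=$(printf '%s\n' "$SAMPLE_ACLS" | before_last_index)
    echo "inserting the sudo rule at index $idx:"
    acl_add_ldif 'olcDatabase={1}hdb,cn=config' "$idx" "$SUDO_ACL"
fi
```

Run with {{{sh helpers.sh --demo}}} to see the suffix and the LDIF that would be piped into ldapmodify; the emitted LDIF places the sudo rule at index 2, ahead of the catch-all, which is the check a postinst should make before it appends an ACL blindly at the count.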